#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product:  Thales SafeNet: Windows Logon Agent [1]
# Vendor:   Thales [2]
# CSNC ID:  CSNC-2022-002
# CVE ID:   CVE-2021-42138 [3]
# Subject:  Hardcoded Credentials
# Risk:     High
# Effect:   Locally exploitable
# Author:   Philipp Mao
# Date:     9.6.2022
#
#############################################################

Introduction:
-------------
Thales SafeNet for Windows allows users to log in to their Windows
workstation without entering a password, using only their smartphone.
The Windows Logon Agent uses DPAPI with a static entropy value and the
LocalMachine scope to encrypt local user passwords. Because a
LocalMachine-scope DPAPI blob can be unprotected by any account on the
same host, local users on the machine are able to decrypt the passwords
of other users.

Affected:
---------
3.4.4 < Windows Logon Agent < 3.5.1

Technical Description
---------------------
An incomplete fix for CSNC-2021-016 was implemented in version 3.4.5.
Passwords are now stored in an encrypted database file. However, all
the key material is readable by a normal user and DPAPI encryption is
still done with the LocalMachine scope. It is thus possible for a
normal user to decrypt the passwords.

An exploit program can simply import and invoke the following exported
functions of the new DLL CredCryptoHelper.dll (which manages the
encrypted database):

1. init
2. getCachedADCredential
3. getADCredEntropy
4. Use the two values with CryptUnprotectData

The resulting blob can then be decrypted using the CryptoCOM.dll file
along with the KeyFile/agent.bsidkey:

1. _CryptoPP_GetDecryptedKeyFromFile
2. _CryptoPP_GetDecryptedKey
3. _CryptoPP_DecryptAESGCM

After these steps the password is decrypted.
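The root cause above is the DPAPI protection scope, not the cipher. The following added example (not code from the advisory or from Thales) contrasts a LocalMachine-scope blob with a static entropy value against the CurrentUser scope that the vendor's SetCachingToCurrentUser setting is assumed to select, and includes a fix-verification check whose registry path is a placeholder because the advisory does not give it. It assumes Windows PowerShell on a domain or standalone Windows host.

```powershell
# Added example, not code from the advisory or from Thales. Shows why a DPAPI
# blob protected with the LocalMachine scope plus a static entropy value is
# readable by any local account, and what the CurrentUser scope changes.
Add-Type -AssemblyName System.Security

function Protect-Secret {
    param([string]$Plaintext, [byte[]]$Entropy,
          [System.Security.Cryptography.DataProtectionScope]$Scope)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plaintext)
    [System.Security.Cryptography.ProtectedData]::Protect($bytes, $Entropy, $Scope)
}

function Unprotect-Secret {
    param([byte[]]$Blob, [byte[]]$Entropy,
          [System.Security.Cryptography.DataProtectionScope]$Scope)
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $Entropy, $Scope)
    [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Constructed sample values. In the affected agent the entropy is static and
# readable by every local user, so it adds no secrecy on top of the DPAPI key.
$password      = 'placeholder-password'
$staticEntropy = [System.Text.Encoding]::UTF8.GetBytes('placeholder-static-entropy')

# Weak setting (affected versions): LocalMachine scope. The DPAPI master key is
# shared by all accounts on the host, so any local user who can read the blob
# and the entropy can unprotect it.
$machineBlob = Protect-Secret -Plaintext $password -Entropy $staticEntropy -Scope LocalMachine

# Hardened setting (assumed to be what SetCachingToCurrentUser = 1 selects):
# CurrentUser scope. The blob is bound to the protecting user's own master key;
# Unprotect under a different local account throws a CryptographicException.
$userBlob = Protect-Secret -Plaintext $password -Entropy $staticEntropy -Scope CurrentUser

# Both round-trip for the user who created them.
Unprotect-Secret -Blob $machineBlob -Entropy $staticEntropy -Scope LocalMachine
Unprotect-Secret -Blob $userBlob    -Entropy $staticEntropy -Scope CurrentUser

# Fix verification. The advisory names the value SetCachingToCurrentUser but not
# its key path; REPLACE_WITH_AGENT_KEY_PATH is a placeholder to fill in.
function Test-CachingScope {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\REPLACE_WITH_AGENT_KEY_PATH')
    $item = Get-ItemProperty -Path $KeyPath -Name SetCachingToCurrentUser -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.SetCachingToCurrentUser -eq 1)
}
Test-CachingScope
```

Test-CachingScope returns $true only when the value exists and equals 1; combine it with an agent version check against 3.5.1 when auditing a fleet.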
Workaround / Fix:
-----------------
Update to Windows Logon Agent version 3.5.1 and set the registry key
SetCachingToCurrentUser to 1.

Timeline:
---------
2021-01-31: Discovery by Philipp Mao
2021-02-09: Initial vendor notification/response
2022-06-08: Fixed version released
2022-10-05: Advisory publication

References:
-----------
[1] https://cpl.thalesgroup.com/access-management/safenet-trusted-access
[2] https://cpl.thalesgroup.com/
[3] https://www.cve.org/CVERecord?id=CVE-2021-42138